LXC vs. Docker – What do you need for IoT?

Containers are at the centre of agile software development: from fringe open source technology to the core building blocks that power modern software systems.

Containers are at the centre of agile software development. They’ve shifted from being a fringe open source technology to the building blocks that power modern software systems. With the Internet of Things (IoT), pioneering companies in the space are now looking to containers to extend the benefits of DevOps to the unique requirements of embedded systems. As enterprises look to scale up the capabilities of their IoT environments, popular container technologies like LXC or Linux Containers and Docker top the list. You may have heard of these two technologies, but may not know what the differences are. In this post we’ll look at the history of virtualization and then outline the similarities and differences between the two technologies. Finally, we’ll describe how each fits at the smart edge to manage the Internet of Things.  

A brief history of the container

Containers were popularized as a lightweight alternative to Virtual Machines (VMs). VMs are virtualized hardware servers that allow users to install and run guest operating systems (OS) over an existing host machine OS. This means that applications developed in any OS environment could be run on any system. Unfortunately, VMs come with high overhead, maintenance costs, and large image sizes that can over-allocate resources to each instance of an OS running on them. Containers on the other hand are virtualized software environments that package an application’s code and its dependencies so that applications can be run side-by-side in isolation on any host machine, and allocate resources as required.

Source: Docker

LXC and LXD – Containerizing an operating system

Container technology was first introduced in 2001 through Jacques Gélinas’s Linux-VServer project. This early form of container technology underwent several redesigns such as the addition of cgroup functionality that allows the limitation and prioritization of resources (CPU, memory, block I/O, network) without the need for starting any virtual machines; and also the namespace isolation functionality that allows for the complete isolation of an application’s view of the operating environment, including process trees, networking, user IDs and mounted file systems and namespaces (source: Resource management: Linux kernel Namespaces and cgroups). 

In 2008, IBM engineers added a layer of userspace tooling to make the technology more palatable to developers. 

In 2014, the LXC 1.0 release further addressed LXC security concerns by leveraging existing Linux technologies such as seccomp and SELinux to control and protect against DoS attacks from malicious code breaking out of containers. 

A LXC container works by employing OS-level virtualization that allow several Linux virtual environments to run simultaneously on a shared hardware and Linux-based OS kernel. This saves overhead costs and allows applications to be built for use across diverse device types. In essence, LXC focuses on system and OS level containerization and that’s where they excel.

LXD – an upgrade for LXC Containers

LXD has been described as the next generation system container.  It enhances system level containerization with a REST API that can connect to the LXC libraries. Written in Go, it creates a system daemon that apps access through a UNIX socket via HTTPS further expanding the possibilities of distributed systems portability. LXD builds on top of LXC and extends its capabilities through the kernel rather than sitting independent of the OS. It acts much like a VM with a hypervisor, but without the resource overhead.  

Docker – Containerizing applications

While Linux containers are mainly at the system level, Docker’s focus is on application containerization. Launched in 2013, Docker was initially based on LXC and added user-friendly tools to attract developers looking for alternatives to bulky VMs. Eventually, Docker diverged from LXC by developing its own containerized architecture. 

Docker and LXC share similar security and process isolation features that ensure running processes are restricted from over-utilizing resources. However, they are actually very different technologies – each Docker container runs a single virtualized application engine, whereas LXC containerizes the system, or different components of the Linux OS userland.

A Docker container packages a single application or application component, rather than a guest OS. It has a Docker daemon that runs directly on the host OS. Furthermore, each containerized application runs in isolation without affecting any other applications running simultaneously in the host machine.

Linux containers vs Docker in the world of IoT

Docker is popular among cloud developers for several reasons. They can easily host and download single apps from the extensive ecosystem at Docker Hub. In addition to this, Docker makes building and managing CICD pipelines incredibly easy, efficient and portable.  LXD, on the other hand, is principally used by Release teams who operate Linux and who need lightweight system level virtualization.

In the embedded world, developers are working under a different set of requirements and constraints than cloud developers. Most embedded devices are fixed-function, single purpose designs constructed to perform one thing well and are frequently customized for that specific function. Because of this high level of customization, the Linux distro itself is specialized to contain only the modules and packages strictly necessary to help the app perform its function on the device.   

Since Linux containers are more suitable for system level containerization, they are perfect for devices that need a portable and specialized OS.

Comparison between Linux Containers and Docker

Linux ContainersDocker
VirtualizationLXC provides full system virtualization. Docker only provides application virtualization. 
Operating System SupportProvides a base system environment that supports the core features of Linux systems. Runs natively on Linux but also supports other OS’ like Windows and macOS. Docker natively uses the operating system it’s running on. 
Ecosystem and toolingOperates with the same bare metal tooling and Linux open source tools that system administrators are familiar with. 
Linux containers are as close to Linux as you can get and therefore operate with any other Linux supported tools. 
Docker Hub is a public image repository that provides access to popular applications.

Docker is managed by its own custom tooling that is supported by a large community of cloud native open source projects that principally work with Kubernetes. 
Ease of useBecause it’s a pure Linux operating system, it is easier to migrate and port applications from one linux system to another.  The problem lies more in managing the distro itself and keeping kernel, modules and libraries compatible from one distro  to the next. Docker has a wide following with a robust ecosystem and large community of users. It’s simple to get started and to deploy applications wherever you need to. 

Key advantages for both Docker and Linux Containers in IoT projects

In an IoT environment where almost all devices are operating on Linux. A more lightweight container like LXC allows for more efficient updates to the OS. However equally beneficial to embedded developers is the ability to easily create containerized CICD pipelines in order to deliver apps and OS updates to the linux device. 

Another benefit with Linux containers is that Linux is familiar to most IoT release teams.  Linux is highly customizable.  Linux containers can help control any customizations to the OS and make it portable across all embedded devices in a network. This makes it simpler for organizations to support DevOps workflows and other best practices for their IoT projects.

Pantavisor Linux a framework for building containerized IoT systems

Pantavisor Linux is an IoT device management solution that leverages Linux containers to deliver DevOps to the OS when managing device software lifecycles at the edge. Pantacor Hub manages device profiles from a central cloud system and allows teams to deploy atomic updates continuously to embedded devices at scale. 

Pantavisor Linux uses LXC and LXD to build a modular containerized version of the embedded OS that is fully customizable to meet the exact needs of your IoT project. In addition to this, any Pantavisor Linux device can run any Docker container downloaded from the ecosystem and can run them as Linux containers while maintaining the convenient Docker root stack for portability. Read more about the Pantacor platform.

Final Thoughts

We recently released Pantabox, a self-contained frontend for managing Pantavisor Linux, our framework for building containerized linux systems for IoT.  Try it out for yourself with one of the step by step guides.  Join our slack community and let us know your thoughts.